CVE-2020-6859

Name of the Vulnerable Software and Affected Versions Ultimate Member plugin versions prior to 2.1.3

Description The issue allows remote attackers to change other users' profiles and cover photos via a modified user id parameter. This is related to ajax image upload and ajax resize image functions.

Recommendations For Ultimate Member plugin versions prior to 2.1.3, update to version 2.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax image upload and ajax resize image functions to minimize the risk of exploitation. Avoid using the user id parameter in the affected API endpoints until the issue is resolved.